diff options
Diffstat (limited to 'stap-gen-cert')
| -rwxr-xr-x | stap-gen-cert | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/stap-gen-cert b/stap-gen-cert new file mode 100755 index 00000000..bf87b572 --- /dev/null +++ b/stap-gen-cert @@ -0,0 +1,95 @@ +#!/bin/bash + +# Generate a certificate for the systemtap server and add it to the +# database of trusted servers for the client. +# +# Copyright (C) 2008, 2009 Red Hat Inc. +# +# This file is part of systemtap, and is free software. You can +# redistribute it and/or modify it under the terms of the GNU General +# Public License (GPL); either version 2, or (at your option) any +# later version. + +# Initialize the environment +. stap-env + +# Obtain a password from stdin and echo it. +function user_enter_password +{ + while true + do + while true + do + read -sp "Enter new password for systemtap server certificate/key database:" pw1 junk + echo "" >&2 + test "X$pw1" != "X" && break + done + while true + do + read -sp "Reenter new password:" pw2 junk + echo "" >&2 + test "X$pw2" != "X" && break + done + test "$pw1" = "$pw2" && break + echo "Passwords do not match" >&2 + done + + echo $pw1 +} + +# Obtain the certificate database directory name. +serverdb=$1 +if test "X$serverdb" = "X"; then + serverdb=$stap_ssl_db/server +fi +rm -fr $serverdb + +# Create the server's certificate database directory. +if ! mkdir -p -m 755 $serverdb; then + echo "Unable to create the server certificate database directory: $serverdb" >&2 + exit 1 +fi + +# Create the certificate database password file. Care must be taken +# that this file is only readable by the owner. +if ! (touch $serverdb/pw && chmod 600 $serverdb/pw); then + echo "Unable to create the server certificate database password file: $serverdb/pw" >&2 + exit 1 +fi + +# Generate a random password. +mkpasswd -l 20 > $serverdb/pw 2>/dev/null || \ +apg -a 1 -n 1 -m 20 -x 20 > $serverdb/pw 2>/dev/null || \ +user_enter_password > $serverdb/pw + +# Generate the server certificate database +if ! certutil -N -d $serverdb -f $serverdb/pw > /dev/null; then + echo "Unable to initialize the server certificate database directory: $serverdb" >&2 + exit 1 +fi + +# We need some random noise for generating keys +dd bs=123 count=1 < /dev/urandom > $serverdb/noise 2> /dev/null + +# Generate a request for the server's certificate. +certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $serverdb/stap-server.req -z $serverdb/noise 2> /dev/null +rm -fr $serverdb/noise + +# Create the certificate file first so that it always has the proper access permissions. +if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then + echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2 + exit 1 +fi + +# Now generate the actual certificate. +certutil -C -i $serverdb/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF +1 +3 +7 +8 +y +EOF +rm -fr $serverdb/stap-server.req + +# Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer +certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw |